draft-ietf-netlmm-threats-02.txt vs. draft-ietf-netlmm-threats-03.txt
(side-by-side diff; the text below follows the -03 version, and passages
that appear only in -02 are marked as such)

Network Working Group                                            C. Vogt
Internet-Draft                                Universitaet Karlsruhe (TH)
Expires: February 22, 2007                                      J. Kempf
                                                         DoCoMo USA Labs
                                                         August 21, 2006
(-02 was dated July 23, 2006 and expired January 24, 2007)

Security Threats to Network-Based Localized Mobility Management
draft-ietf-netlmm-threats-03.txt

Status of this Memo

By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups.  Note that
[unchanged text skipped in the diff view]
and may be updated, replaced, or obsoleted by other documents at any
time.  It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

This Internet-Draft will expire on February 22, 2007.

Copyright Notice

Copyright (C) The Internet Society (2006).
Abstract

This document discusses security threats to network-based localized
mobility management.  Threats may occur on two interfaces: the
interface between an LMA and a MAG, as well as the interface between
a MAG and a mobile node.  Threats to the former interface impact the
localized mobility management protocol itself.
Table of Contents

1.  Introduction
    1.1  Terminology
2.  Threats to Interface between LMA and MAG
    2.1  LMA Compromise or Impersonation
    2.2  MAG Compromise or Impersonation
    2.3  Man in the Middle Attack
3.  Threats to Interface between MAG and Mobile Node
    3.1  Mobile Node Compromise or Impersonation
    3.2  Man in the Middle Attack
4.  Threats from the Internet
5.  Security Considerations
6.  IANA Considerations
7.  Acknowledgment
8.  References
    8.1  Normative References
    8.2  Informative References
Authors' Addresses
A.  Change Log
Intellectual Property and Copyright Statements

(The -02 table of contents instead had 2.4 Denial of Service Attack
on the LMA, 3.1 Network Access Identity, 3.2 Impersonation of Mobile
Nodes and 3.3 Man in the Middle Attack, no Section 4, and Security
Considerations, IANA Considerations, Acknowledgment and Informative
References numbered 4 through 7.)
1.  Introduction

The network-based localized mobility management (NETLMM) architecture
[1] supports movement of IPv6 mobile nodes locally within a domain
without requiring mobility support in the mobile nodes' network
stacks.  A mobile node can keep its IP address constant as it moves
from link to link, avoiding the signaling overhead and latency
associated with changing the IP address.  While software specifically
for localized mobility management is not required on the mobile node,
IP-layer movement detection software may be necessary, and driver
software for link-layer mobility is prerequisite.

The IP addresses of mobile nodes have a prefix that routes to a
localized mobility anchor (LMA).  The LMA maintains an individual
route for each registered mobile node.  Any particular mobile node's
route terminates at a mobile access gateway (MAG) which the mobile
node uses as a default router on its current access link.  MAGs are
responsible for updating the mobile node's route on the LMA as the
mobile node moves.  A MAG detects the arrival of a mobile node on its
local access link based on handoff signaling that the mobile node
pursues.  The MAG may additionally monitor connectivity of the mobile
node in order to recognize when the mobile node has left the local
access link.  The localized mobility management architecture
therefore has two interfaces:

1.  The interface between a MAG and an LMA where route update
    signaling occurs.

2.  The interface between a mobile node and its current MAG where
    handoff signaling and other link maintenance signaling occurs.

The localized mobility management architecture specifies no
standardized protocol for a MAG to detect the arrival or departure of
mobile nodes on its local link and accordingly initiate route update
signaling with the LMA.  An appropriate mechanism may be entirely
implemented at the link layer, such as is common for cellular
networks.  In that case, the IP layer never detects any movement,
even when a mobile node moves from one link to another handled by a
different MAG.  If the link layer does not provide the necessary
functionality, the mobile node must perform active IP-layer movement
detection signaling so as to trigger route update signaling at the
MAG.  In either case, the decisive handoff signaling is bound to a
mobile node identity, which is established when the mobile node
initially connects to the domain.  For some wireless access
technologies, the mobile node identity may have to be re-established
on every link-layer handoff.

Vulnerabilities in either interface of the localized mobility
management architecture may entail new security threats which go
beyond those that already exist in IPv6.  Potential attack objectives
may be to roam at the cost of a legitimate mobile node, interpose in
a mobile node's communications from a position off link, or cause
denial of service to a mobile node or to the localized mobility
management domain as a whole.  This document identifies and discusses
security threats on both interfaces of the localized mobility
management architecture.  It is limited to threats which are peculiar
to localized mobility management; threats to IPv6 in general are
documented in [3].
1.1  Terminology

The terminology in this document follows the definitions in [2], with
those revisions and additions from [1].  In addition, the following
definition is used:

Mobile node identity
    An identity established for the mobile node when initially
    connecting to the domain.  It allows the localized mobility
    management domain to definitively and unambiguously identify the
    mobile node upon handoff for route update signaling purposes.  The
    mobile node identity is conceptually independent of the mobile
    node's IP or link-layer addresses, but it must be securely bound
    to the mobile node's handoff signaling.
2.  Threats to Interface between LMA and MAG

The localized mobility management protocol executed on the interface
between an LMA and a MAG serves to establish, update, and tear down
routes for data plane traffic of mobile nodes.  Threats to this
interface can be separated into compromise or impersonation of a
legitimate LMA, compromise or impersonation of a legitimate MAG, and
man-in-the-middle attacks.
2.1  LMA Compromise or Impersonation

A compromised LMA can ignore routing updates from a legitimate MAG,
or forge routing updates for a victim mobile node in order to
redirect or deny the mobile node's traffic.  Since data plane traffic
for mobile nodes routes through the LMA, a compromised LMA can also
intercept, inspect, modify, redirect, or drop such traffic on a MAG
supported by the LMA.  The attack can be conducted transiently, to
selectively disable traffic for any particular mobile node or MAG at
particular times.

Moreover, a compromised LMA may manipulate its routing table such
that all packets are directed towards a single MAG.  This may result
in a DoS attack against that MAG and its attached link.

These threats also emanate from an attacker which tricks a MAG into
believing that it is a legitimate LMA.  This attacker can cause the
MAG to conduct route update signaling with the attacker instead of
with the legitimate LMA, enabling it to ignore route updates from the
MAG, or forge route updates in order to redirect or deny a victim
mobile node's traffic.  The attacker does not necessarily have to be
on the original control plane path between the legitimate LMA and the
MAG, provided that it can somehow make its presence known to the MAG.
E.g., the IP address of a mobility anchor point in hierarchical
Mobile IPv6 mobility management [4] may be proliferated across a
domain hop by hop in Router Advertisement messages.  Failure to
properly authenticate a comparable mechanism for localized mobility
management would allow an attacker to establish itself as a rogue
LMA.

The attacker may further be able to intercept, inspect, modify,
redirect, or drop data plane traffic to and from a mobile node.  This
is obvious if the attacker is on the original data plane path between
the legitimate LMA and the mobile node's current MAG, which may
happen independent of whether or not the attacker is on the original
control plane path.  If the attacker is not on this path, it may be
able to leverage the localized mobility management protocol to
redefine the prefix that the mobile node uses in IP address

[unchanged text skipped in the diff view; the text resumes within
Section 2.2, MAG Compromise or Impersonation]
route for the mobile node.  In general, forgery of a subnet prefix in
link state or distance vector routing protocols requires support of
multiple routers in order to obtain a meaningful change in forwarding
behavior.  But a bogus host route is likely to take precedence over
the routing information advertised by legitimate routers, which is
usually less specific, hence the attack should succeed even if the
attacker is not supported by other routers.  A difference between
redirection in a routing protocol and redirection in localized
mobility management is that the former impacts the routing tables of
multiple routers, whereas the latter involves only the compromised
MAG and an LMA.

Moreover, a compromised MAG can ignore the presence of a mobile node
on its local access link and refrain from registering the mobile node
at an LMA.  The mobile node then loses its traffic.  The compromised
MAG may further be able to cause interruption to a mobile node by
deregistering the mobile node at the LMA, pretending that the mobile
node has powered down.  The mobile node then needs to reinitiate the
network access authentication procedure, which the compromised MAG
may prevent repeatedly until the mobile node moves to a different
MAG.  The mobile node should be able to handle this situation, but
the recovery process may be lengthy and hence impair ongoing
communication sessions to a significant extent.

Attacks that the MAG can mount on its access link interface are
common for any regular IPv6 access router [3].

Denial of service against an LMA is another threat of MAG subversion.
The compromised MAG can trick the LMA into believing that a high
number of mobile nodes have attached to the MAG.  The LMA will then
establish a routing table entry for each of the non-existing mobile
nodes.  The unexpected growth of the routing table may eventually
cause the LMA to reject legitimate route update requests.  It may
also decrease the forwarding speed for data plane packets due to
higher route lookup latencies, and it may for the same reason slow
down the responsiveness to control plane packets.  Another adverse
side effect of a high number of routing table entries is that the
LMA, and hence the localized mobility management domain as a whole,
becomes more susceptible to flooding packets from external attackers
(see Section 4).  The high number of superfluous routes increases the
probability that a flooding packet, sent to a random IP address
within the localized mobility management domain, matches an existing
routing table entry at the LMA and gets tunneled to a MAG, which in
turn performs address resolution [5] on the local access link.  At
the same time, fewer flooding packets can be dropped directly at the
LMA due to a nonexistent routing table entry.

All of these threats apply not just to a MAG that is compromised, but
also to an attacker that manages to counterfeit the identity of an
authorized MAG in interacting with both mobile nodes and an LMA.
Such an attacker can behave towards mobile nodes like a legitimate
MAG and engage an LMA in route update signaling.  In a related
attack, the perpetrator eavesdrops on signaling packets exchanged
between an authorized MAG and an LMA and replays these packets at a
later time.  These attacks may be conducted transiently, to
selectively disable traffic for any particular mobile node at
particular times.
2.3  Man in the Middle Attack

An attacker that manages to interject itself between a legitimate LMA
and a legitimate MAG can act as a man in the middle with respect to
both control plane signaling and data plane traffic.  If the attacker
is on the original control plane path, it can forge, modify, or drop
route update packets so as to cause the establishment of incorrect
routes or the removal of routes that are in active use.  Similarly,
an attacker on the original data plane path can intercept, inspect,
modify, redirect, and drop data plane packets sourced by or destined
to a victim mobile node.

A compromised router located between an LMA and a MAG may cause
similar damage.  Any router on the control plane path can forge,
modify, or drop control plane packets, and thereby interfere with
route establishment.  Any router on the data plane path can
intercept, inspect, modify, and drop data plane packets, or rewrite
their IP headers so as to divert the packets from their original
path.

An attacker between an LMA and a MAG may further impersonate the MAG
towards the LMA and vice versa in route update signaling.  The
attacker can so interfere with route establishment even if it is not
on the original control plane path between the LMA and the MAG.  An
attacker off the original data plane path may undertake the same to
cause inbound data plane packets destined to the mobile node to be
routed first from the LMA to the attacker, and from there to the
mobile node's MAG and finally to the mobile node itself.  As
explained in Section 2.1, here, too, it depends on the specific data
plane forwarding mechanism within the localized mobility management
domain whether or not the attacker can influence the route of
outgoing data plane packets sourced by the mobile node.
2.4  Denial of Service Attack on the LMA
(this section appears in -02 only; -03 covers the topic in Section 4,
Threats from the Internet)

An attacker may launch a denial-of-service attack on the LMA by
sending packets to arbitrary IP addresses which are potentially in
use by mobile nodes within the localized mobility management domain.
Like a border router, the LMA is in a topological position through
which all data plane traffic goes, so it must process the flooding
packets and perform a routing table lookup for each of them.  The LMA
can discard packets for which the IP destination address is not
registered in the routing table.  But other packets must be
encapsulated and forwarded.  A target MAG as well as any mobile nodes
attached to its access link are also likely to suffer damage because
the unrequested packets must be decapsulated and consume link
bandwidth as well as processing capacities on the receivers.  This
threat is in principle the same as for denial of service on a regular
IPv6 border router, but because either the routing table lookup
enables the LMA to drop a flooding packet early or, on the contrary,
additional tunneling workload is required, the impact of an attack
against localized mobility management may be different.

In a related attack, the attacker manages to obtain a globally
routable IP address of an LMA or a different network entity within
the localized mobility management domain and perpetrates a denial-of-
service attack against that IP address.  Localized mobility
management is in general somewhat resistant to such an attack because
mobile nodes need never obtain a globally routable IP address of any
entity within the localized mobility management domain.  A
compromised mobile node hence cannot pass such an IP address off to a
remote attacker, limiting the feasibility of extracting information
on the topology of the localized mobility management domain.  It is
still possible for an attacker to perform IP address scanning if MAGs
and LMAs have globally routable IP addresses, but the much larger
IPv6 address space makes scanning considerably more time consuming.
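The routing-table growth caused by a subverted MAG (Section 2.2) and the LMA's drop-or-tunnel decision for flooding packets (this section), modelled as an added example that is not from the draft: an LMA with one host route per registered mobile node, a MAG registering non-existent mobile nodes, and a flood of packets to random addresses whose tunneled fraction is measured. The per-MAG registration quota is an assumed mitigation, not one the draft specifies, and the prefix, MAG names and counts are constructed.

```python
"""Model of an LMA routing table under bogus registrations from a
subverted MAG (added example, not from the draft).  Assumptions: one host
route per registered mobile node, a constructed domain prefix, and a
per-MAG registration quota as the illustrated mitigation."""
import ipaddress
import random
from dataclasses import dataclass, field
from typing import Optional

# Constructed domain prefix.  Flooding packets are drawn from a small /112
# slice of it so that the match probability is visible in a simulation.
DOMAIN_PREFIX = ipaddress.IPv6Network("2001:db8:1::/48")
FLOOD_RANGE = ipaddress.IPv6Network("2001:db8:1::/112")


class QuotaExceeded(Exception):
    """Raised when a MAG tries to register more mobile nodes than allowed."""


@dataclass
class LMA:
    per_mag_quota: Optional[int] = None          # None = unlimited (weak setting)
    routes: dict = field(default_factory=dict)   # address -> MAG id
    per_mag: dict = field(default_factory=dict)  # MAG id -> live route count

    def register(self, mag: str, addr: str) -> None:
        """Route update from a MAG: install or move the host route for addr."""
        ip = ipaddress.IPv6Address(addr)
        if ip not in DOMAIN_PREFIX:
            raise ValueError(f"{addr} is outside the domain prefix")
        old = self.routes.get(ip)
        if old == mag:
            return                               # refresh, nothing changes
        if self.per_mag_quota is not None and self.per_mag.get(mag, 0) >= self.per_mag_quota:
            raise QuotaExceeded(mag)             # quota bounds bogus registrations
        if old is not None:                      # handoff from another MAG
            self.per_mag[old] -= 1
        self.routes[ip] = mag
        self.per_mag[mag] = self.per_mag.get(mag, 0) + 1

    def deregister(self, mag: str, addr: str) -> bool:
        """Remove a host route; only the MAG that owns it may do so."""
        ip = ipaddress.IPv6Address(addr)
        if self.routes.get(ip) != mag:
            return False
        del self.routes[ip]
        self.per_mag[mag] -= 1
        return True

    def forward(self, dst: str) -> Optional[str]:
        """Data plane: the MAG a packet is tunneled to, or None if dropped here."""
        return self.routes.get(ipaddress.IPv6Address(dst))


def attack_and_measure(quota: Optional[int], bogus: int = 10000,
                       legit: int = 10, samples: int = 10000, seed: int = 1):
    """Subverted 'mag-bad' registers `bogus` non-existent mobile nodes and
    honest 'mag-ok' registers `legit` real ones; then `samples` flooding
    packets to random addresses in FLOOD_RANGE are sent.  Returns
    (routes installed, fraction of flooding packets tunneled to a MAG)."""
    lma = LMA(per_mag_quota=quota)
    for i in range(legit):
        lma.register("mag-ok", str(FLOOD_RANGE[60000 + i]))
    for i in range(bogus):
        try:
            lma.register("mag-bad", str(FLOOD_RANGE[i]))
        except QuotaExceeded:
            break                                # the quota stops the attack
    rng = random.Random(seed)                    # constructed, reproducible flood
    tunneled = sum(
        lma.forward(str(FLOOD_RANGE[rng.randrange(FLOOD_RANGE.num_addresses)])) is not None
        for _ in range(samples)
    )
    return len(lma.routes), tunneled / samples


if __name__ == "__main__":
    for q in (None, 100):
        n, frac = attack_and_measure(q)
        print(f"quota={q}: {n} routes, {frac:.1%} of flooding packets tunneled")
```

Without a quota roughly one flooding packet in seven reaches a MAG in this model; with the quota almost all are dropped at the LMA for lack of a routing table entry.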
3.  Threats to Interface between MAG and Mobile Node

A MAG monitors the mobile nodes' link-layer handoff signaling or IP-
layer movement detection signaling in order to detect the arrival and
departure of mobile nodes and accordingly initiate route updates with
the LMA.  Cellular access technologies utilize only the signaling at
the wireless link layer, and the IP stack never sees any change when
the mobile node moves from one MAG to a MAG on a different link.  For
non-cellular access technologies, such as IEEE 802.11 or wired
Ethernet, the link-layer signaling may not hide a handoff from the IP
layer.  Instead, IP-layer movement detection signaling may have to be
performed in response to a notification from the link layer that a
change in link-layer attachment has occurred.  This signaling may
involve extensions [6] for IPv6 Neighbor Discovery [5], DHCPv6 [7],
or additional technology-specific functionality at the IP layer.

Although the mobile node identity is conceptually independent of the
mobile node's IP or link-layer addresses in either case, it must be
securely bound to whatever handoff signaling of the mobile node is
decisive for route updates on the MAG-LMA interface, be it via an
address or otherwise.  A MAG uses this binding to deduce when the
mobile node has handed over onto the MAG's local access link, and
possibly when the mobile node leaves the local access link again,
thereby providing the trigger for route update signaling to an LMA.
The binding must be robust to spoofing because it would otherwise
facilitate impersonation of the mobile node by a third party, denial
of service, or man-in-the-middle attacks.

3.1  Network Access Identity
(this section appears in -02 only; -03 folds it into the Terminology
section and the paragraph above)

In order for localized mobility management to be able to definitively
and unambiguously identify a mobile node upon handoff, the mobile
node must establish a network access identity when it initially
connects to the localized mobility management domain.  E.g., the
mobile node may authenticate itself to the domain based on its NAI
[4] and an AAA-based protocol.  The network access identity is
conceptually independent of the mobile node's IP or link-layer
addresses.  For some wireless access technologies, the network access
identity must be re-established on every link-layer handoff.
3.1 Mobile Node Compromise or Impersonation

An attacker that is able to forge the mobile node identity of a
neighboring victim mobile node may be able to trick its MAG into
redirecting the mobile node's packets to itself. Such an on-link
attack is common for any regular IPv6 network [3]. However, if
handoff signaling cannot definitively and unambiguously be linked
back to the legitimate mobile node identity, an attacker may further
be capable of fabricating handoff signaling of a victim mobile node
that currently attaches to a different link. The attacker can thus
trick its MAG into believing that the mobile node has handed over
onto the MAG's access link. The MAG will then initiate route update
signaling to an LMA, causing the LMA to redirect inbound data plane
packets for the mobile node to the attacker's MAG and finally to the
attacker itself. The attacker can thus examine the packets that
legitimately belong to the mobile node, or discard the packets in
order to deny the mobile node service. The same can happen if a MAG
accepts from the attacker replayed handoff signaling packets which
the attacker has previously recorded from the legitimate mobile node.

The above attack is conceivable both if the attacker and the mobile
node are on links that connect to different MAGs, as well as if they
are on separate links connecting to the same MAG. In the former
case, two MAGs would think they see the mobile node and both would
independently perform route update signaling with the LMA. In the
latter case, route update signaling is likely to be performed only
once, and the redirection of packets from the mobile node to the
attacker is internal to the MAG. The mobile node can always
recapture its traffic back from the attacker through another run of
handoff signaling. But standard mobile nodes are generally not
prepared to counteract this kind of attack, and even where network
stacks include suitable functionality, the attack may not be
noticeable early enough at the link or IP layer to quickly institute
countermeasures. The attack is therefore disruptive at a minimum,
and may potentially persist until the mobile node initiates signaling
again upon a subsequent handoff.
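The two requirements the preceding paragraphs place on handoff
signaling, that a MAG can link it back to the legitimate mobile node
identity and that a recorded signal cannot be accepted a second time,
can be made concrete with a small model. The following is an added
example and not part of the draft, nor the NETLMM protocol's own
message format: the message fields, the per-mobile-node key shared
with the domain, the HMAC, the sequence number and all identifiers
are assumptions constructed for the illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass


# Hypothetical handoff signaling message. NETLMM defines no such format;
# the fields below are an assumption for this illustration only.
@dataclass(frozen=True)
class HandoffSignal:
    mn_id: str    # mobile node identity established at initial attach
    mag_id: str   # MAG the mobile node claims to have handed over to
    seq: int      # per-identity counter, increased on every handoff
    mac: bytes    # HMAC-SHA256 over (mn_id, mag_id, seq) under the MN's key


def _mac(key: bytes, mn_id: str, mag_id: str, seq: int) -> bytes:
    return hmac.new(key, f"{mn_id}|{mag_id}|{seq}".encode(), hashlib.sha256).digest()


def build_signal(key: bytes, mn_id: str, mag_id: str, seq: int) -> HandoffSignal:
    return HandoffSignal(mn_id, mag_id, seq, _mac(key, mn_id, mag_id, seq))


class MAG:
    """Validates handoff signaling before it triggers a route update to the LMA."""

    def __init__(self, mag_id: str, keys: dict, check_freshness: bool = True):
        self.mag_id = mag_id
        self.keys = keys                  # mn_id -> key shared with the domain (assumed)
        self.check_freshness = check_freshness
        self.last_seq = {}                # mn_id -> highest sequence number accepted
        self.route_updates = []           # (mn_id, seq) pairs sent on to the LMA

    def accept(self, sig: HandoffSignal) -> bool:
        key = self.keys.get(sig.mn_id)
        if key is None:
            return False                  # no established identity, no binding
        if sig.mag_id != self.mag_id:
            return False                  # bound to another MAG's link
        if not hmac.compare_digest(_mac(key, sig.mn_id, sig.mag_id, sig.seq), sig.mac):
            return False                  # forged identity or altered signal
        seen = self.last_seq.get(sig.mn_id, -1)
        if self.check_freshness and sig.seq <= seen:
            return False                  # replay of a previously recorded signal
        self.last_seq[sig.mn_id] = max(seen, sig.seq)
        self.route_updates.append((sig.mn_id, sig.seq))
        return True


def scenario(check_freshness: bool) -> dict:
    """What mag-A and mag-B accept from the legitimate MN and from an attacker.

    The key and all identifiers are constructed for the example."""
    keys = {"mn-1": b"constructed-key-shared-between-mn-1-and-the-domain"}
    mag_a = MAG("mag-A", keys, check_freshness)
    mag_b = MAG("mag-B", keys, check_freshness)

    legit = build_signal(keys["mn-1"], "mn-1", "mag-A", seq=7)
    # An attacker on mag-A's link does not hold the key and has to guess one.
    forged = build_signal(b"attacker-guess", "mn-1", "mag-A", seq=8)

    return {
        "legit": mag_a.accept(legit),
        "forged": mag_a.accept(forged),
        "replay": mag_a.accept(legit),     # recorded earlier, resent later
        "cross_mag": mag_b.accept(legit),  # recorded on mag-A, resent on mag-B
        "route_updates": len(mag_a.route_updates),
    }
```

With check_freshness=False the MAC alone defeats the forgery but not
the replay: the recorded signal is accepted a second time and a second
route update goes to the LMA. The sequence number closes that gap only
because the MAG keeps per-identity state across handoffs; if that state
lived nowhere, the LMA would have to perform the same check. Binding
the MAG identity into the MAC is what stops the same recording from
being used on a different MAG's link, which is the case of two MAGs
both believing they see the mobile node.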
Off-link impersonation attacks can be prevented at the link layer.
E.g., they are not possible with cellular access technologies, where
the handoff signaling is completely controlled by the wireless link
layer. Here, an attacker must be on the same link as the victim
mobile node in order to disrupt the negotiation between the mobile
node and the network. Cellular access technologies also provide
other cryptographic and non-cryptographic attack barriers at the link
layer, which make mounting an impersonation attack, both on-link and
off-link, very difficult. For non-cellular access technologies,
however, off-link impersonation attacks may be possible.
An attacker which can forge handoff signaling messages may also cause
denial of service against the localized mobility management domain.
The attacker can trick a MAG into believing that a large number of
mobile nodes have attached to the local access link and thus induce
it to initiate route update signaling with an LMA for each mobile
node assumed on link. The result of such an attack is both
superfluous signaling overhead on the control plane as well as a high
number of needless entries in the LMA's and MAG's routing tables.
The unexpected growth of the routing tables may eventually cause the
LMA to reject legitimate route update requests, and it may cause the
MAG to ignore handoffs of legitimate mobile nodes on its local access
link. It may also decrease the LMA's and MAG's forwarding speed for
inbound and outbound data plane packets due to higher route lookup
latencies, and it may for the same reason slow down their
responsiveness to control plane packets. An adverse side effect of
this attack is that the LMA, and hence the localized mobility
management domain as a whole, becomes more susceptible to flooding
packets from external attackers (see Section 4). The high number of
superfluous routes increases the probability that a flooding packet,
sent to a random IP address within the localized mobility management
domain, matches an existing routing table entry at the LMA and gets
tunneled to a MAG, which in turn performs address resolution [5] on
the local access link. At the same time, fewer flooding packets can
be dropped directly at the LMA due to a nonexistent routing table
entry.
A threat related to the ones identified above, but not limited to
handoff signaling, is IP spoofing [8][9]. Attackers use IP spoofing
mostly for reflection attacks or to hide their identities. The
threat can be reasonably contained by a wide deployment of network
ingress filtering [10] in access network routers. This technique
prevents IP spoofing to the extent that it ensures topological
correctness of IP source address prefixes in to-be-forwarded packets.
Where the technique is deployed in an access router, packets are
forwarded only if the prefix of their IP source address is valid on
the router's local access link. An attacker can still use a false
interface identifier in combination with an on-link prefix. But
since reflection attacks typically aim at off-link targets, and the
enforcement of topologically correct IP address prefixes also limits
the effectiveness of identity concealment, network ingress filtering
has proven adequate so far. On the other hand, prefixes are not
limited to a specific link in a localized mobility management domain,
so an attacker may be able to send packets with an off-link IP source
address despite the presence of network ingress filtering. This
could make IP spoofing again more attractive.
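The difference between ingress filtering on a conventional access link
and in a localized mobility management domain, where every domain
prefix may legitimately appear on every link, is easy to see in code.
The following is an added example and not part of the draft: the two
MAGs, their prefixes, the attached mobile node addresses and the four
constructed packets are assumptions. The third mode, filtering on the
addresses the MAG has actually bound to its link rather than on
prefixes, is likewise an assumption and not something the draft
prescribes; it is included because a MAG, unlike a fixed access
router, already holds that per-mobile-node state.

```python
import ipaddress

# Constructed topology; the draft names no prefixes or addresses.
# Conventional access network: each access link has its own prefix.
PER_LINK_PREFIXES = {"mag-A": ["2001:db8:a::/64"], "mag-B": ["2001:db8:b::/64"]}
# NETLMM domain: every domain prefix may legitimately appear on every link.
DOMAIN_PREFIXES = ["2001:db8:a::/64", "2001:db8:b::/64"]
# Addresses of mobile nodes each MAG has actually bound to its local link.
ATTACHED = {"mag-A": ["2001:db8:a::10"], "mag-B": ["2001:db8:b::20"]}


def prefix_filter(src: str, prefixes) -> bool:
    """RFC 2827 check: forward only if the source prefix is valid on ingress."""
    addr = ipaddress.IPv6Address(src)
    return any(addr in ipaddress.IPv6Network(p) for p in prefixes)


def host_filter(src: str, attached) -> bool:
    """Stricter check (assumption, not from the draft): forward only if the
    source is an address the MAG has bound to a mobile node on this link."""
    return ipaddress.IPv6Address(src) in {ipaddress.IPv6Address(a) for a in attached}


def forward(mag: str, src: str, mode: str) -> bool:
    """True if a packet with IPv6 source `src` arriving at `mag` is forwarded."""
    if mode == "per_link":
        return prefix_filter(src, PER_LINK_PREFIXES[mag])
    if mode == "domain":
        return prefix_filter(src, DOMAIN_PREFIXES)
    if mode == "host_route":
        return host_filter(src, ATTACHED[mag])
    raise ValueError(f"unknown mode {mode!r}")


def spoof_matrix(mag: str = "mag-A") -> dict:
    """Outcome for four constructed packets arriving on mag-A's link."""
    packets = {
        "legit_on_link":   "2001:db8:a::10",    # the MN bound to this link
        "on_link_prefix":  "2001:db8:a::bad",   # on-link prefix, false interface id
        "off_link_domain": "2001:db8:b::20",    # address of the MN attached at mag-B
        "external":        "2001:db8:ffff::1",  # prefix from outside the domain
    }
    return {mode: {name: forward(mag, src, mode) for name, src in packets.items()}
            for mode in ("per_link", "domain", "host_route")}
```

The "per_link" row reproduces the text: the off-link source is dropped
and only the false interface identifier under the on-link prefix gets
through. The "domain" row shows the weaker guarantee inside a localized
mobility management domain, where the address of a node attached at
mag-B passes the filter at mag-A. The "host_route" row only works if the
MAG's bindings are kept in step with handoffs; a node that has just
arrived is dropped until its binding exists.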
3.2 Man in the Middle Attack

An attacker which can interpose between a victim mobile node and a
MAG during handoff signaling, router discovery, and IP address
configuration can mount a man-in-the-middle attack on the mobile
node, spoofing the mobile node into believing that it has a
legitimate connection with the localized mobility management domain.
The attacker can thus intercept, inspect, modify, or selectively drop
packets sourced by or destined to the mobile node.
4. Threats from the Internet
A localized mobility management domain uses host routes for data
plane traffic and hence deviates from the standard IPv6 longest-
prefix-match routing. Creation, maintenance, and deletion of these
host routes in addition cause control traffic within the localized
mobility management domain. These characteristics are transparent to
mobile nodes as well as external correspondent nodes, but the
functional differences within the domain may influence the impact
that a denial-of-service attack from the outside world can have on
the domain.
A denial-of-service attack on an LMA may be launched by sending
packets to arbitrary IP addresses which are potentially in use by
mobile nodes within the localized mobility management domain. Like a
border router, the LMA is in a topological position through which a
substantial amount of data plane traffic goes, so it must process the
flooding packets and perform a routing table lookup for each of them.
The LMA can discard packets for which the IP destination address is
not registered in its routing table. But other packets must be
encapsulated and forwarded. A target MAG as well as any mobile nodes
attached to the MAG's local access link are also likely to suffer
damage because the unrequested packets must be decapsulated and
consume link bandwidth as well as processing capacities on the
receivers. This threat is in principle the same as for denial of
service on a regular IPv6 border router, but because either the
routing table lookup enables the LMA to drop a flooding packet early
on or, on the contrary, additional tunneling workload is required,
the impact of an attack against localized mobility management may be
different.
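The interaction between the spurious route updates of Section 3.1 and
the flooding attack above can be put in numbers with a small model of
the LMA's host-route lookup. The following is an added example and not
part of the draft or of any NETLMM implementation; the domain prefix,
the scanned /120, the four legitimate host routes and the 64 spurious
ones an attacker registers through its own MAG are all constructed.

```python
import ipaddress
from collections import Counter

# Constructed LMA domain prefix (assumption; the draft names no addresses).
DOMAIN = ipaddress.IPv6Network("2001:db8::/32")


class LMA:
    """Minimal model of an LMA data plane: a host-route table keyed by the
    mobile node's address. Packets for a registered address are tunneled to
    the MAG that registered it; other packets for the domain are dropped."""

    def __init__(self):
        self.host_routes = {}  # IPv6Address -> MAG identifier

    def route_update(self, mn_addr: str, mag: str) -> None:
        # Called for every route update a MAG sends, legitimate or spurious.
        self.host_routes[ipaddress.IPv6Address(mn_addr)] = mag

    def handle(self, dst: str) -> str:
        addr = ipaddress.IPv6Address(dst)
        if addr not in DOMAIN:
            return "not-for-domain"
        mag = self.host_routes.get(addr)
        # Every packet costs a lookup; only a hit additionally costs the LMA
        # an encapsulation and the MAG a decapsulation plus address
        # resolution on its link.
        return f"tunnel:{mag}" if mag is not None else "drop"


def flood(lma: LMA, targets) -> Counter:
    """Sends one flooding packet per target address and counts outcomes."""
    return Counter(lma.handle(dst) for dst in targets)


def addresses(prefix: str, offsets) -> list:
    base = int(ipaddress.IPv6Network(prefix).network_address)
    return [str(ipaddress.IPv6Address(base + i)) for i in offsets]


def flood_experiment() -> dict:
    """Floods every address of a constructed /120 inside the domain, before
    and after an attacker has induced 64 spurious route updates for
    addresses in that /120 via its own MAG (mag-A)."""
    scan = addresses("2001:db8:a::/120", range(256))
    legit = addresses("2001:db8:a::/120", range(1, 5))           # four real MNs
    spurious = addresses("2001:db8:a::/120", range(0x10, 0x50))  # 64 fake MNs

    lma = LMA()
    for mn in legit:
        lma.route_update(mn, "mag-A")
    routes_before = len(lma.host_routes)
    baseline = flood(lma, scan)

    for fake in spurious:
        lma.route_update(fake, "mag-A")  # attacker's MAG registers them all
    inflated = flood(lma, scan)

    return {
        "space": len(scan),
        "baseline": {"tunnel": baseline["tunnel:mag-A"], "drop": baseline["drop"]},
        "inflated": {"tunnel": inflated["tunnel:mag-A"], "drop": inflated["drop"]},
        "routes_before": routes_before,
        "routes_after": len(lma.host_routes),
    }
```

In the constructed case the share of flooding packets the LMA must
tunnel rises from 4 to 68 out of 256, and all of the additional load
lands on the attacker's own MAG and its link, which is the side effect
Section 3.1 describes. The same model shows why the LMA's early drop is
only as good as its routing table: anything that lets an unauthorized
party add host routes turns the drop into a forwarding obligation.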
In a related attack, the villain manages to obtain a globally
routable IP address of an LMA or a different network entity within
the localized mobility management domain and perpetrates a denial-of-
service attack against that IP address. Localized mobility
management is in general somewhat resistant to such an attack because
mobile nodes need never obtain a globally routable IP address of any
entity within the localized mobility management domain. A
compromised mobile node hence cannot pass such an IP address off to a
remote attacker, limiting the feasibility of extracting information
on the topology of the localized mobility management domain. It is
still possible for an attacker to perform IP address scanning if MAGs
and LMAs have globally routable IP addresses, but the much larger
IPv6 address space makes scanning considerably more time consuming.
5. Security Considerations
This document describes threats to network-based localized mobility
management. These may either occur on the interface between an LMA
and a MAG, or on the interface between a MAG and a mobile node.
Mitigation measures for the threats, as well as the security
considerations associated with those measures, are described in the
respective protocol specifications [11][12] for the two interfaces.
6. IANA Considerations

This document has no actions for IANA.

7. Acknowledgment
The authors would like to thank the NETLMM working group, especially
Jari Arkko, Gregory Daley, Vijay Devarapalli, Lakshminath Dondeti,
Gerardo Giaretta, Wassim Haddad, Andy Huang, Dirk von Hugo, Julien
Laganier, Henrik Levkowetz, Vidya Narayanan, Phil Roberts, and Pekka
Savola (in alphabetical order) for valuable comments and suggestions
regarding this document.
8. References

8.1 Normative References

[1] Kempf, J., "Problem Statement for Network-based Localized
    Mobility Management", IETF Internet Draft
    draft-ietf-netlmm-nohost-ps-04.txt (work in progress),
    June 2006.

[2] Manner, J. and M. Kojo, "Mobility Related Terminology",
    IETF Request for Comments 3753, June 2004.

8.2 Informative References

[3] Nikander, P., Kempf, J., and E. Nordmark, "IPv6 Neighbor
    Discovery (ND) Trust Models and Threats", IETF Request for
    Comments 3756, May 2004.

[4] Soliman, H., Castelluccia, C., El Malki, K., and L. Bellier,
    "Hierarchical Mobile IPv6 Mobility Management (HMIPv6)",
    IETF Request for Comments 4140, August 2005.

[5] Narten, T., "Neighbor Discovery for IP version 6 (IPv6)",
    IETF Internet Draft draft-ietf-ipv6-2461bis-07.txt (work in
    progress), May 2006.

[6] Kempf, J., Narayanan, S., Nordmark, E., Pentland, B., and JH.
    Choi, "Detecting Network Attachment in IPv6 Networks (DNAv6)",
    IETF Internet Draft draft-ietf-dna-protocol-01.txt (work in
    progress), June 2006.

[7] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., and M.
    Carney, "Dynamic Host Configuration Protocol for IPv6
    (DHCPv6)", IETF Request for Comments 3315, July 2003.

[8] CERT Coordination Center, "CERT Advisory CA-1996-21 TCP SYN
    Flooding and IP Spoofing Attacks", September 1996.

[9] CERT Coordination Center, "CERT Advisory CA-1998-01 Smurf IP
    Denial-of-Service Attacks", January 1998.

[10] Ferguson, P. and D. Senie, "Network Ingress Filtering:
     Defeating Denial of Service Attacks which employ IP Source
     Address Spoofing", IETF Request for Comments 2827, May 2000.

[11] Giaretta, G., "NetLMM Protocol", IETF Internet Draft
     draft-giaretta-netlmm-dt-protocol-00.txt (work in progress),
     June 2006.

[12] Laganier, J., Narayanan, S., and F. Templin, "Network-based
     Localized Mobility Management Interface between Mobile Node and
     Access Router", IETF Internet Draft
     draft-ietf-netlmm-mn-ar-if-01.txt (work in progress),
     June 2006.

[13] Aura, T., "Cryptographically Generated Addresses (CGA)",
     IETF Request for Comments 3972, March 2005.

[14] Aboba, B., Beadles, M., Arkko, J., and P. Eronen, "The Network
     Access Identifier", IETF Request for Comments 4282,
     December 2005.
Authors' Addresses

Christian Vogt
Institute of Telematics
Universitaet Karlsruhe (TH)
P.O. Box 6980
76128 Karlsruhe
Germany

Email: chvogt@tm.uka.de
181 Metro Drive, Suite 300
San Jose, CA 95110
USA

Phone: +1 408 451 4711
Email: kempf@docomolabs-usa.com
Appendix A. Change Log

The following is a list of technical changes that were made from
version 02 to version 03 of the document. Editorial revisions are
not explicitly mentioned.
o Changed the terminology from "network access identity" to "mobile
node identity" as the previous term was frequently confused with
the different "network access identifier" (NAI). Removed the
special "Network Access Identity" subsection in Section 3. The
mobile node identity is now first mentioned in Section 1, which
fits well with the nutshell description of the NETLMM
architecture. The security requirements of the mobile node
identifier are discussed in the introductory text of Section 3.
This makes more sense than a special subsection because the text,
on one hand, provides the necessary basis to understand the
following subsections, while on the other hand, it does not really
explain an attack itself.
o Section 1: Extended the description of conceptual actors in the
localized mobility management architecture and added a summary of
potential attack objectives and attack targets.
o Section 3.1: Granularity of ingress filtering may be coarser in a
localized mobility management domain. It may also allow off-link
IP spoofing since prefixes are not limited to a specific link.
o Section 2.2: The threat of replay attacks was not mentioned in
this section. It was added.
o Section 3.1: The threat of replay attacks was not mentioned in
this section. It was added.
o Section 2.2: Causing spurious route updates may lead to DoS
against the localized mobility management domain. This threat was
missing in the discussion of this section and it was added.
o Section 3.1: Causing spurious route updates may lead to DoS
against the localized mobility management domain. This threat was
missing in the discussion of this section and it was added.
o Section 4: Moved DoS attack against a localized mobility
management domain from the Internet to a separate section because
it is not specific to either interface within the domain.
o Revised the document with respect to the recent agreement on the
addressing model.
o Revised the document with respect to the possibility that there
may be more than one LMA. The text was initially written under the
assumption that the LMA is unique.
o References split into normative and informative references.
The following is a list of technical changes that were made from
version 01 to version 02 of the document. Editorial revisions are
not explicitly mentioned.
o Section 2.1: Included DoS/flooding attack against MAG. Also
clarified how a malicious node off the control plane path between
the authorized LMA and one or multiple target MAGs could
impersonate the authorized LMA against the MAGs. Such an attacker
could use various means to interfere with data plane traffic even
if it is off the original data plane path between the legitimate
LMA and the MAGs.
o Section 2.2: Malicious MAG may deregister an actively
communicating mobile node, without consent of the mobile node.
o Section 2.3: Included related threats pertaining to MITM between
LMA and MAG, which were formerly described in other sections.
o Section 4: Included description of DoS/flooding attack against
LMA, including its impact on the target MAGs, their links, and the
target mobile nodes.
o Section 3: Revised the structure of this section. Threats are
now divided into attacks against a mobile node's network access
identity; impersonation of a mobile node, both from the mobile
node's link and from off link; as well as man-in-the-middle
attacks.
o Section 1: The binding with the network access identity may be
with the authentication keys associated with the mobile node's IP
address, not necessarily with the IP addresses themselves.
o Section 3.1: Off-link attack may be mounted from a link that
connects to a different MAG than the victim mobile node's MAG.
Intellectual Property Statement

The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
 End of changes. 62 change blocks. 
231 lines changed or deleted 383 lines changed or added

This html diff was produced by rfcdiff 1.32. The latest version is available from http://www.levkowetz.com/ietf/tools/rfcdiff/